Ottokit WordPress plugin with 100K+ installations hit by exploits targeting multiple flaws


A second security flaw affecting the Ottokit (formerly SureTriggers) WordPress plugin is being actively exploited in the wild.

The vulnerability, tracked as CVE-2025-27007 (CVSS score: 9.8), is a privilege escalation bug affecting all versions of the plugin prior to version 1.0.82.

“This is because the create_wp_connection() feature lacks feature checks and has insufficient user authentication credential verification,” Wordfence said. “This allows unrecognized attackers to establish connections and can ultimately allow privilege escalation.”

That said, the vulnerability is only exploitable in two scenarios:

  • If the site has never validated or used an application password, and Ottokit has not previously connected to the website using an application password
  • When an attacker can authenticate to the site and generate a valid application password
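As an added illustration (not Ottokit's code), the bug class described above in a hypothetical WordPress plugin called "demo-connector": a REST route whose handler accepts a connection without a capability check, beside a hardened version that only lets an authenticated administrator establish one. The plugin name, route, option key and function names are invented for the example.

```php
<?php
// Illustrative example, not Ottokit's code. The plugin name "demo-connector",
// the route, the option key and the function names are all invented.

// VULNERABLE PATTERN: public route, and the handler stores a connection
// even when the supplied credentials do not resolve to a privileged user.
add_action('rest_api_init', function () {
    register_rest_route('demo-connector/v1', '/connection', [
        'methods'             => 'POST',
        'callback'            => 'demo_create_connection_vulnerable',
        'permission_callback' => '__return_true', // no capability check
    ]);
});

function demo_create_connection_vulnerable(WP_REST_Request $req) {
    // Result is ignored: a failed lookup does not stop the connection.
    wp_authenticate_application_password(null, $req['email'], $req['password']);
    update_option('demo_connector_token', $req['token']); // connection accepted
    return new WP_REST_Response(['status' => 'connected'], 200);
}

// HARDENED PATTERN: the route is reachable only by an authenticated
// administrator, and the handler re-checks that the credentials belong
// to a real user who holds the required capability.
add_action('rest_api_init', function () {
    register_rest_route('demo-connector/v1', '/connection-secure', [
        'methods'             => 'POST',
        'callback'            => 'demo_create_connection_hardened',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
    ]);
});

function demo_create_connection_hardened(WP_REST_Request $req) {
    $user = wp_authenticate_application_password(null, $req['email'], $req['password']);
    // A non-match returns null or WP_Error; both must be treated as failure,
    // including on sites where no application password was ever created.
    if (!($user instanceof WP_User) || !user_can($user, 'manage_options')) {
        return new WP_Error('rest_forbidden', 'Invalid credentials', ['status' => 403]);
    }
    update_option('demo_connector_token', sanitize_text_field($req['token']));
    return new WP_REST_Response(['status' => 'connected'], 200);
}
```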

Wordfence said it observed threat actors attempting to exploit the initial connection vulnerability to establish a connection with the site and then using it to create an administrative user account via an automation/action endpoint.

The attacks also target CVE-2025-3102 (CVSS score: 8.1).

This increases the likelihood that threat actors will opportunistically scan WordPress installations to see whether they are susceptible to either of the two flaws. A set of IP addresses has been observed targeting the vulnerabilities.


Given that the plugin has over 100,000 active installations, it is essential that users move quickly to apply the latest patch (version 1.0.83).

“Attackers may have begun actively targeting this vulnerability on May 2, 2025.”
